The notes of Justin Abrahms

Search

SearchSearch

Recently updated

Challenges in open, self-sovereign identity

Aug 25, 20242 min read

Self-sovereign identity

Challenges in open, self-sovereign identity

Talk by Tom Marble, http://info9.net/wiki/tmarble/ Seen at FOSSy, 2023

What is it?

Ten Principles of Self-Sovereign Identity by Christopher Allen (he puts on the rebooting “web of trust” conference)

His goals are:

  1. Share messages and files securely (combat deep fakes)
  2. Autheniticate with third party services
    • non-correlation (prevent identity merging)
    • with multiple personas
  3. Opt-in, discoverable identity (white pages, pub keyservers)
  4. User friendly and intuitivie (does the right thing)
  5. Self-hosted or delegated (does not require a third party)

Thought experiment:

  • Open every email in a container
  • Open every web page in incognito mode
  • access via VPN/Tor

Evil32: Attack which generates gpg keys which match the last 32 bits of a target key. Useful to skirting something by unsuspecting folks

Out of scope for him:

  1. Application transparancy
  2. FOSS signing
  3. Micropayments
  4. “app permissions”/selective disclosure
  5. legal electronic signatures (e.g. not docusign)
  6. SPM (filter on authenticated sender)

Current problems / approaches

  • email is identity (forgot password)
    • human meaningful, but not secure or “decentalized”?
    • can easily be spoofed
  • x.509 weaknesses, MiTM, Certificate transparency
  • DID
    • (often) on chain (and blockchain is bad)
    • asymmetric ownership/control
      • Aren’t good DID resolvers that are open source
      • You can solve this in the small, but this isn’t a solution across the whole internet w/o using blockchain (and blockchain is bad)
    • DID resolution under specified (DIDweb)
  • Managing passwords is hard, so we delegate to big companies or password managers
  • surveillance capitalism, “Real Name” policy, DNT (Do not Track) is advisory

DID & VC: Untangling decentralized identifiers and verifiable credentials for the web of trust

Current approaches:

  • SQRL: Secure Quick Reliable Login
  • FIDO2: like SQRL. Used in WebAuthn, CTAP2=yubikeys
  • Passkeys, designed to eliminate the shortcomings of FIDO or single-device credentials
  • European Digital Identity (EUDI)

Q: What’s the name of breaking a public key into parts and giving them to a bunch of folks for recovery? A: Key Sharding

Challenge: Zooko’s Triangle

Tech is not sufficient

  • Awareness (how do we get people to care?)
  • Competition (competing against proprietary solutions & government)
  • Leaking Correlation (“self-ssufficiency theater”, Pamela Dingle, Directory of identity standards at Microsoft; It’s hard not to leak correlation info like email, birth date, phone, ssn).

How open source can help

Speaker is currently working on “Betrusted”, an open source/open hardware device which is kinda like a phone, but it’s scoped down just for secure messaging. It’s using “Xous”, a

  • yes: wifi
  • no: camera, microphone, bluetooth

Graph View

Backlinks

  • No backlinks found